DNS Over HTTPS: Not As Private As Some Think? (sans.edu)
Long-time Slashdot reader UnderAttack writes:
DNS over HTTPS has been hailed as part of a "poor man's VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.
But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].
The Internet Storm Center is offering some data to show how this can be done.
Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.
It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
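The length leak the submission describes, and the EDNS(0) padding that closes it, as an added example that is not code from the ISC article or from any DoH client: it builds the DNS wire-format query a DoH client would POST, shows that the unpadded size gives away the QNAME length, and then pads to the 128-octet block size RFC 8467 recommends so that differently sized names produce identical messages. The sample names are constructed.

```python
import struct
from typing import Optional

EDNS_PADDING_OPTION = 12   # EDNS(0) Padding option code (RFC 7830)
QUERY_PAD_BLOCK = 128      # block size RFC 8467 recommends for queries
HEADER_LEN = 12
OPT_FIXED_LEN = 11         # root name (1) + type (2) + class (2) + ttl (4) + rdlength (2)

def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, root terminator)."""
    labels = name.rstrip(".").split(".")
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("each DNS label must be 1..63 octets")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, pad_block: Optional[int] = None) -> bytes:
    """Build a DNS query (A record by default) carrying an EDNS(0) OPT record.
    With pad_block set, an EDNS Padding option grows the message to a multiple
    of pad_block octets, as RFC 8467 recommends for queries."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    rdata = b""
    if pad_block is not None:
        # size before padding, counting the 4-octet option header we are about to add
        base = HEADER_LEN + len(question) + OPT_FIXED_LEN + 4
        pad_len = (-base) % pad_block
        rdata = struct.pack("!HH", EDNS_PADDING_OPTION, pad_len) + b"\x00" * pad_len
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL = extended flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def inferred_name_length(msg_len: int) -> int:
    """What an observer can read off an *unpadded* A query's size alone: the wire
    length of the QNAME (message minus header, OPT RR and qtype/qclass)."""
    return msg_len - HEADER_LEN - OPT_FIXED_LEN - 4

def query_sizes(names, pad_block: Optional[int] = None) -> dict:
    """Map each name to the size of its query, padded or not."""
    return {n: len(build_query(n, pad_block=pad_block)) for n in names}

# constructed sample names of differing lengths (not the article's measurements)
SAMPLE_NAMES = ["a.ch", "example.com",
                "subdomain.another-label.some-company-with-a-long-name.example.org"]

if __name__ == "__main__":
    for n, size in query_sizes(SAMPLE_NAMES).items():
        print(f"{size:4d} bytes unpadded -> QNAME wire length {inferred_name_length(size)} : {n}")
    print("padded to 128-octet blocks:", query_sizes(SAMPLE_NAMES, QUERY_PAD_BLOCK))
```

With padding every sample collapses to 128 bytes; TLS and HTTP/2 framing add their own overhead on top, but that overhead is the same for each query, so the size no longer distinguishes the names.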
Tunneling DNS through Tor seems the safest (Score:3, Insightful)
Best for privacy would be to tunnel DNS through Tor (like Torbrowser does).
And assuming your system caches DNS results performance shouldn't matter much at all.
Most DNS-over-HTTPs proposals are bad in so many ways. The guys pushing for DNS-over-HTTPs are the worst privacy offenders out there (Google, Cloudflare). Also, they tend to be proposals to make browser DNS different from system DNS - where DNS should really be a system setting, not a browser setting. I think DNS-over-HTTPs is mostly a way for Google to gather more data on people; and to avoid things like pi-hole based ad blockers.
Re:Tunneling DNS through Tor seems the safest (Score:4, Interesting)
When I think of Cloudflare, I don't think "privacy offender". Other than the 8chan debacle a few months ago, which was questionable, I can't think of anything else. My point is that Cloudflare may be the best public option (resolver, DNS proxy, etc.). If I'm wrong, please let me know!
Re: (Score:3, Interesting)
Despite the best efforts, they're forced to spy - and forced with gag letters to not tell you:
https://www.techdirt.com/artic... [techdirt.com]
Privacy depends on technological solutions.
No matter how well intentioned a company is - they still need to abide by the laws of everywhere they do business. For large companies (including Cloudflare) that means China, the US, Russia, and all the other major countries.
Re:Tunneling DNS through Tor seems the safest (Score:5, Informative)
Mozilla, the first to implement DoH in a browser, are very privacy focused. They screw up sometimes but are also by far the best option available.
DoH is better than what we have now (nothing) and is actually happening which is more than you can say for the other options.
Re:Tunneling DNS through Tor seems the safest (Score:4, Interesting)
Well, basically yes.
I mean the headline is trivially true: I'm sure you could find at least two people in the world who overestimate the security, therefore making it "less secure than some think". But while it's not perfect, in the UK it prevents the May spying machine from recording every DNS query you make and in the US it stops shitty companies like Verizon, AT&T, etc doing the same to sell your data to advertisers.
Not perfect but a lot better than nothing.
Re: (Score:2)
Sad to think that May was relatively benevolent compared to this lot...
Re: (Score:2)
Yes, indeed. She was awful, secretive and rigid. But what we have now...
Corbyn would tear down everything in the quest of his socialist utopia. Johnson would do the same out of pure spite.
Re: (Score:2)
I just can't see as Corbyn would have been that bad. Certainly the good would have outweighed the bad, and given the country a rebalancing that it needs.
Anyway we are fucked now. The UK is finished.
Re: (Score:2)
I just can't see as Corbyn would have been that bad.
I'm not that sure. The one thing I'm glad about in the previous election is apparently antisemitism really doesn't fly in the UK, and for that I am glad. I think Corbyn with a strong majority would have been equally dangerous if not more so. I think about half of what he says is really good and the other half is really not, but I think he has a quasi religious zeal. However there was never any chance of him getting a strong majority and the Johnson govern
Re: (Score:2)
The main thing Corbyn had going for him was that he genuinely cares about people. Even if you disagree with his methods you can't really argue that he isn't trying to make things better for people.
I don't know if I'll be okay. I will probably lose my job but at least for the moment there are plenty more. It's much worse for the rest of my family. Glad you are okay though.
Re: (Score:2)
The main thing Corbyn had going for him was that he genuinely cares about people. Even if you disagree with his methods you can't really argue that he isn't trying to make things better for people.
Well cares for people except arguably the Jews. Ahem. That dig aside, yes I agree. I think he is trying to make things better, I think unlike Johnson what he wants to do, he wants to do for the people. Unfortunately, intent doesn't really matter and I think both would be capable of immense damage.
I don't know if I'll
Re: (Score:2)
Thought May's spying was curtailed by the EU (twice).
https://arstechnica.com/tech-p... [arstechnica.com]
I checked and Opera has some version of DOH.
https://blogs.opera.com/deskto... [opera.com]
As for BoJo and Brexshit, I'm planning to migrate.
Better alternative (Score:2)
DoH is better than what we have now (nothing)
Huh, no. We don't have "nothing".
Privacy wise, we already have "better" options, as the top poster noted: we already have Tor.
Re: (Score:2)
You think integrating Tor into the browser for DNS lookups is a good idea? You aren't concerned about the performance and load on the Tor network?
That's already the case (Score:2)
You think integrating Tor into the browser for DNS lookups is a good idea?
Whenever using a socks5 proxy, the default browser behaviour (at least in firefox) is already to proxy the dns requests too.
There are even sub-parts of the Tor exit node howto about how to set up a good, decent and secure DNS.
You aren't concerned about the performance and load on the Tor network?
It's not the 00ies anymore.
The Tor network has reached an excellent level of load-balancing.
In all my regular experience, the performance of the Tor network is pretty decent for anything that isn't high bandwidth time critical (i.e.: you might not easily do real-time 4k video calls, but otherwis
Re: (Score:2)
The system doesn't do any DNS caching, because the browser is doing it independently - it isn't going through the OS's API at all. The browser does its own caching.
Eventually this might well become an OS function - applications wouldn't even see any difference. I'm sure Microsoft would love the excuse to 'protect user privacy' by making sure they alone can monitor DNS queries, given how much telemetry Windows 10 sends back already.
Re:Tunneling DNS through Tor seems the safest (Score:4, Informative)
I think DNS-over-HTTPs is mostly a way for Google to gather more data on people; and to avoid things like pi-hole based ad blockers.
Okay stop right there. Google's implementation in Chrome has nothing to do with gathering more data. THEY ALREADY OWN YOUR SYSTEM. They can already gather any data they want. They already collect a trove of data from Chrome and at any time can push out a software update to change what they collect. Your comment makes absolutely no sense whatsoever and comes across as conspiracy nuttery.
But let's step back for a moment. You said worst "privacy offenders". Let's discuss that term. What way is Google offending? They collect your data in troves. "Worst privacy datahoovers? That makes a lot of sense". But what is offensive about it? Google has shown over the past 20 years that despite collecting everything about everyone they don't actually pass that data onto others, they only pass others' information your way and sell aggregate statistics.
Google and Cloudflare pushing DoH is still a net win because I trust both entities far more than actual "offenders", namely ISPs who have shown to sell data wholesale to anyone with a credit card. Those are the true "privacy offenders".
Re: (Score:2)
Google and Cloudflare pushing DoH is still a net win because I trust both entities far more than actual "offenders", namely ISPs who have shown to sell data wholesale to anyone with a credit card. Those are the true "privacy offenders".
You are deluded if you think that your ISP does not know what sites you are visiting when you use DoH. As for your trust in Google and Cloudflare, that's nothing short of weird and misplaced.
Re: (Score:3)
1) good luck getting Microsoft to put DoH into Windows. They won't - unless it's to "seamlessly" allow you to choose any one of Microsoft's own DNS servers...
2) Google hates the idea, they're being forced to do it, but they'd never have if it wasn't for Mozilla.
3) You can change which DoH provider in the browser. So it's not any different to the current DNS networking entry.
4) performance is not an issue - every page on every site you look at is over https. So the odd DNS lookup isn't going to impact anything.
Re: (Score:2)
1) already in the works https://nakedsecurity.sophos.c... [sophos.com]
VERIFY ! (Score:2)
I do not know why Firefox or other DoH clients do not verify the DNS answers to their query... it's like they trust the DNS servers and do not think they could be possibly intercepted or manipulated....
How does 'routine' MITM work? (Score:3)
Do home ISPs "routinely" require subscribers to install the trusted root certificate issued by an ISP? Or do home ISPs use some interception technique that you'll explain that doesn't require installing a root certificate?
Re: (Score:3)
You could try just making more queries and checking them against each other; but that isn't obviously more resistant to an attacker who you are concerned might be able to tamper with your traffic, including HTTPS, and will likely come up with a lot of false pos
Want secure VPN (Score:1)
Use DNS-over-TLS instead (Score:3)
Re: (Score:2)
Only to have the port blocked? What's the point?
Re:Mozilla Approved (Score:5, Informative)
Re: (Score:2, Interesting)
No, you only wish it were the opposite. If the requirement were that the DoH operator must *never* provide information regarding queries to anyone at all, ever, without a court order then you might have something. If the requirement does not preclude the operator from having to have a proper court order to provide the information to *ANY* third-party, then there is in effect no protection against giving that information to anyone who asks for it under any circumstance whatsoever.
There are lots of weasel w
Re:Mozilla Approved (Score:4, Insightful)
You are going from "ISP sells my browsing history" to "at least Mozilla checked they aren't complete asshats."
Expecting them not to comply with legal obligations is unrealistic. If you need that you know what you have to do. For most people who use the default ISP servers without even realising it this is a huge improvement.
Re: (Score:3)
Article 1 states that no personal data may be retained for more than 24 hours unless it's required to operate the service. The idea is good: you can't hand over data to the authorities if you no longer ha
Re: (Score:3)
No, you only wish it were the opposite.
Actually you're the one doing the wishing. Here let me quote the relevant idiocy: " is that you must provide the DNS query log to whomever asks for it"
The GP published the privacy policy and has found your statement to be 100% false. Now you may resubmit your statement with the absence of the word must, but really what would be the point now seeing how you have already outed yourself as a conspiracy nutjob?
Anything over HTTPS depends on Cert Trust (Score:2)
Re: (Score:2)
The "Compelled certification attack" is when men from the government turn up and calmly explain that you *will* sign their certificate, and if you ever mention this request to any other person then you will be thrown into the type of prison that doesn't keep records.
Re: (Score:2)
The "Compelled certification attack"
How does Certificate Transparency not defeat this? Chrome appears to require CT nowadays [feistyduck.com].
Not good but better than nothing (Score:4, Interesting)
Considering ISPs started going bonkers over DoH then it seems very clear that they are selling your information. Even if your DoH provider is selling your information, they will have to work harder to positively identify you.
Sure, it's like going into battle with just a shield but it's better than going into battle stark naked.
Re: (Score:2)
What's needed (and would be a simple thing) is an application which would do DNS lookups on random domains, all the time. Pollute their feed and it becomes worthless. I'd certainly give up 1 Mbps to not only mess with their surveillance but to work their server at the same time.
(It probably already exists, and someone will step in to point it out.)
Re:Not good but better than nothing (Score:4, Informative)
They're not selling your information. The fact that nearly all sites are https means the only thing DNS tells your ISP is what domain you're trying to visit. They don't even know the full URL. DoH doesn't change this - after the site's domain has been resolved into an IP address, your browser still has to request data from that IP address. Your ISP can see this data request since your computer needs to tell their network where to send your data packets. So a quick reverse DNS lookup tells them what domain you're visiting even if you use DoH.
The reason ISPs are opposed to DoH is because most people never change their DNS server away from the default, so end up using the ISP's DNS server. When you make a typo in a URL and ask for a nonexistent domain, instead of the browser displaying a "no such domain found" error message, your ISP's DNS server redirects you to a landing page they've set up with search terms based on what they think you were trying to type. They sell space on these landing pages to websites.
DoH would completely dry up this revenue stream, since the browser's DNS (over HTTP) would override the ISP's DNS server. Apparently the revenue the ISPs get from these error landing pages is substantial enough that it's worth it for them to try to block DoH.
Re: (Score:3)
They sell space on these landing pages to websites. DoH would completely dry up this revenue stream.
It's definitely nothing to do with traffic engineering and/or efficient peering with CDNs and content providers. It's not like most large CDNs combine DNS and BGP to load balance requests and localise traffic to the most efficient paths.
It could never be less efficient CDN utilisation forcing use of orders-of-magnitude more expensive paid transit rather than local peering arrangements, or even forcing the big boys to push exponentially growing traffic levels long distance rather than servicing it locally.
Re:Not good but better than nothing (Score:4, Informative)
Just the domain name is incredibly valuable. If you spend a lot of time on OnlineCasino.com or RivalBank.com there are people who would love to know.
An IP address doesn't let them identify a site. It leads them to a CDN in most cases.
And in the end, it's definitely better than nothing.
Re:Not good but better than nothing (Score:5, Interesting)
DoH doesn't change this - after the site's domain has been resolved into an IP address, your browser still has to request data from that IP address.
False. DoH does change it, just not completely. There's a big difference between knowing:
a) Solandri visited http://www.pornhub.com/kinky-girls-doing-nasty-stuff/
b) Solandri visited server www.pornhub.com and initiated a secure connection.
c) Solandri visited 66.254.114.41 an IP owned by a CDN that serves www.pornhub.com, www.fluffykittens.com, www.cathloicpuritanchurch.com
Re: (Score:2)
Not to mention IPV6. As sites slowly adopt it, we may see more domains getting unique IP address blocks.
Re: (Score:1)
That could just be cover for the police and gov level logs they have to keep and now can't with the existing logs...
Without having to invest in new tech again...
Re: (Score:2)
Chrome's implementation on the other hand where you can't disable it without a Windows PC and full Microsoft active directory with domain based group policies, not just local policies
Chromium's FAQ [chromium.org] states that a split-horizon setup (where some names resolve differently on internal and external networks) will continue to work. In addition, it mentions that users can disable it at chrome://flags/#dns-over-https. Was the plan changed since then?
Re:Not good but better than nothing (Score:5, Interesting)
ISPs are "going bonkers" because the only reason that they are an "Information Service" and not a "Telecommunications Service" (and therefore subject to Common Carrier rules and so-called Net Neutrality) is because they provide DNS. If they no longer provide DNS then they are no longer providing anything at all except a "Telecommunications Service" and the various challenges of Ijit Pie's classification of ISPs as an "Information Service" would be successful, and the ISPs do NOT want that in any way shape or form. They want to be able to sell you various packages of Web Sites for varying prices.
Re: (Score:2)
ISPs are "going bonkers" because the only reason that they are an "Information Service" and not a "Telecommunications Service" (and therefore subject to Common Carrier rules and so-called Net Neutrality) is because they provide DNS.
Except they can still provide DNS service even if few use it.
Re: (Score:3)
They went a level beyond bonkers here, and started warning that DoH was a tool for pedophiles.
Yeah. (Score:4, Funny)
When did Homer Simpson become a network engineer?
Kinks? Really? (Score:4, Funny)
Deliberate misinformation (Score:1)
Point (Score:1)
Isn't this pointless? Your ISP knows, and sells, where you go to anyway. As does the web site possibly, too.
Re: (Score:3)
>"Isn't this pointless? Your ISP knows, and sells, where you go to anyway."
If they only know the IP address, they don't really know where you are going. Many servers have tens, hundreds, or thousands of different websites that have nothing to do with each other, all on the same address but with different site/domain names.
So yes, they know which street you are driving on, but not necessarily which house you are visiting, unless that is the only house on that street. Or another analogy would be they mig
Re: (Score:1)
Fire up wireshark on port 443 and see if you can figure out where your browser is taking you.
From just opening a new tab on FF, I can see that it's making an HTTPS request to 'snippets.cdn.mozilla.net' (as specified in the 'Client Hello' TLS message under the server name extension). And I didn't need to break the encryption or anything - this is part of the handshake before encryption begins.
Maybe TLS 1.3 starts encryption earlier. If not, maybe later versions will. But at the moment, it's trivial to see wh
Re: (Score:2)
Sorry to reply to my own comment, but I have to correct some assumptions I made:
TLS 1.3 appears to (optionally?) encrypt certificates so that they're no longer sent in the clear, and eSNI (encrypted SNI) is an available extension.
So if you're using TLS 1.3 and the appropriate options, then yes the only thing your ISP will have to go on is the IP address. That may be good enough for accessing a lot of sites, but not every website lives on one of the big cloud hosting providers.
Arms race (Score:2)
In the security arms race, the stakes are constantly rising. Will DNS over HTTPS solve some security problems? Probably. Will it solve them all? No.
We've seen most Web sites move to HTTPS. Does this fix all the security problems for Web sites? Hardly.
DoH is a sad joke (Score:2)
First, your ISP will still know what sites you are visiting. Second, your DoH server will know what names you are resolving. Third, more likely than not, your DoH server will be controlled by some company, like Google or Cloudflare, that will be only too keen to monetize that data. Fourth, DoH is a malware boon - protocol encapsulation over DNS tunnels, which is not that difficult to detect and block with standard DNS, becomes effectively undetectable and unblockable when DoH is used.
DoH does not grant end
wow, failure (Score:2)
Padding or random padding, this is very basic.